Ballmer on why Windows is more secure than Linux

A trip to Disneyland

Microsoft chief executive Steve Ballmer yesterday defended the company's record on security, arguing that, contrary to popular opinion, Windows was easier to secure than its open source rivals.

During a showpiece Interview with analysts during Gartner's ITXpo in Orlando, Ballmer went as far as suggesting data from security clearing house CERT supported his controversial assertion that Windows was subject to fewer vulnerabilities than popular Linux distros, such as Red Hat.

According to Ballmer, four critical vulnerabilities were discovered in the first 150 days after the release of Windows 2003, compared with 17 found in the same time following the release of Win2000.

"The first 150 days of Red Hat 6, go check the number, just go check the number. It's five to ten times higher than what we are showing," Ballmer said.

But vulnerabilities in Red Hat include flaws with the applications that run and top of the distro as well as the distro itself, so Ballmer has latched onto a misleading comparison. In absolute terms, the number of Microsoft security alerts is decreasing. But this doesn't tell the whole story either, as the seriousness of particular problems and how widely they are exploited are not taken into account.

Blame game

Academics believe that the security of open and closed source platforms to be roughly equivalent. Sysadmins says that patching Windows for security updates is more problematic than is the case with Linux. Despite this, Ballmer continues to find fault with open source security.

"There's no roadmap for Linux. There's nobody to hold accountable for security issues with Linux. There's nobody sort of, so to speak, rear end on the line for issues; it may or may not be an issue," he said.

And what of Microsoft's own Trustworthy Computing initiative, now approaching its second birthday? Ballmer admits that Redmond's effort to address patching issue are overdue but he points to the progress the company has made thus far.

"Since we embarked on what I might call the trustworthy computing release process, we've made dramatic strides; maybe not good enough, four critical vulnerabilities, still not good enough, but we've made dramatic strides," Ballmer said.

"We put a lot of effort and energy into improving our patching process, probably later than we should have and now we're just gaining incredible speed. Our patching process needs to be more predictable, people want smaller patches, we need one simple installation process for patches, which we haven't had, we need rollback on patches, we need a more consistent patch policy, people want more predictability about when they come out, and people want better patch management tools."

"There's a whole set of things that people absolutely want and we've been raising our game," he added, referring to Microsoft's plans to provide improved "inspection and shield" technologies.

Security is 'top priority' for Redmond

Ballmer gave one of his strongest statements to date that giving people confidence in the security of Microsoft's products is "absolutely our top priority.

"We've got our best brains on it. We've told people anything we need to do - acquiring new technologies, people, approaches - we should put our heads down and go get that stuff done. And we're not going to let anything stand in the way.

"We understand this is an issue of customer satisfaction. It could slow down progress on IT for the whole industry."

The last remark is telling. Ballmer's sees security as a difficult stretch of water to be navigated or a roadblock to "innovation", not as a process that needs to be continual, with trade-offs made to manage risks within business requirements.

Gartner analysts correctly identified one of the key security problems Microsoft has yet to address. Whatever the compamy is doing now in terms of improving its code quality most of the problems ("probably 95 per cent") are from code that was written six, seven, eight years ago.

Ballmer was asked if Microsoft was going to rewrite some of this code over time or start over in a few years?

His reply was far from convincing: "There are some things that, in the 20-year time horizon, I'm sure we will redo, and perhaps others will as well," he said, before moving on to discuss new security models based on XML technology.

This is not good enough and touches the heart of the problem, namely the lack of compelling commercial incentives for Microsoft to improve older software.